Vite Frontend Framework Vulnerability in JavaScript Tooling
CVE-2025-58751
2.3 LOW
What is CVE-2025-58751?
A vulnerability in Vite, a popular frontend tooling framework, allows unauthorized file serving when specific conditions are met. If an application exposes the Vite dev server to the network and uses symlinks in the public directory, the server will serve attackers files that match public directory names, bypassing critical server-side restrictions. The issue has been resolved in versions 7.1.5, 7.0.7, 6.3.6, and 5.4.20; updating to one of these releases or later removes the exposure.
Affected Version(s)
vite < 5.4.20
vite >= 6.0.0, < 6.3.6
vite >= 7.0.0, < 7.0.7
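
As an added example (not Vite's own code and not part of the advisory), this Node.js helper checks a project against the three preconditions described above: an unpatched version, a network-exposed dev server, and symlinks in the public directory. The function names, the `host` input (the value of Vite's `server.host` or `--host`), and the treatment of 7.1.x releases before 7.1.5 as affected (inferred from the fixed-release list) are assumptions.

```javascript
// Added example: triage helper for CVE-2025-58751 (not Vite project code).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// True when the version predates the fix for its release line (fixes per this page).
function isAffectedVersion(version) {
  const v = parseVersion(version);
  if (v[0] <= 5) return lessThan(v, [5, 4, 20]);               // vite < 5.4.20
  if (v[0] === 6) return lessThan(v, [6, 3, 6]);               // >= 6.0.0, < 6.3.6
  if (v[0] === 7 && v[1] === 0) return lessThan(v, [7, 0, 7]); // >= 7.0.0, < 7.0.7
  // Assumption: 7.1.x before the 7.1.5 fix is affected (inferred from the fix list).
  if (v[0] === 7 && v[1] === 1) return lessThan(v, [7, 1, 5]);
  return false; // later release lines ship after the fix
}

// Exposed when server.host / --host is true or any non-loopback address.
function isNetworkExposed(host) {
  if (host === true) return true;
  if (!host) return false; // unset: Vite binds to localhost by default
  return !['localhost', '127.0.0.1', '::1'].includes(String(host));
}

// Lists symlinks under the public directory recursively, without following them.
async function findPublicSymlinks(dir) {
  const { readdir } = await import('node:fs/promises');
  const out = [];
  for (const e of await readdir(dir, { withFileTypes: true })) {
    const p = `${dir}/${e.name}`;
    if (e.isSymbolicLink()) out.push(p);
    else if (e.isDirectory()) out.push(...(await findPublicSymlinks(p)));
  }
  return out;
}

// The issue applies only when all three preconditions hold together.
function assess({ version, host, publicSymlinks }) {
  const findings = [];
  if (isAffectedVersion(version)) findings.push(`unpatched vite ${version}`);
  if (isNetworkExposed(host)) findings.push('dev server exposed to the network');
  if (publicSymlinks.length) findings.push(`symlinks in public dir: ${publicSymlinks.join(', ')}`);
  return { atRisk: findings.length === 3, findings };
}
```

Pass the result of `await findPublicSymlinks('public')` as `publicSymlinks`, together with the installed Vite version and the configured host, to `assess`.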